Advanced Settings

The Advanced Settings page allows you to configure Nessus manually. You can configure advanced settings from the Nessus user interface, or from the command-line interface. Nessus validates your input values to ensure only valid configurations.

Nessus groups the advanced settings into the following categories:


  • Advanced settings apply globally across your Nessus instance.

  • To configure advanced settings, you must use a Nessus administrator user account.
  • Nessus does not automatically update all advanced settings.
  • Changes may take several minutes to take effect.
  • Nessus marks the settings that require a restart for the change to apply with an icon.
  • Custom policy settings supersede the global advanced settings.

User Interface




| Setting | Identifier | Description | Default | Valid Values |
|---|---|---|---|---|
| Allow Post-Scan Editing | | Allows a user to make edits to scan results after the scan is complete. | yes | yes or no |
| Disable API | disable_api | Disables the API, including inbound HTTP connections. Users cannot access Nessus via the user interface or the API. | | yes or no |
| Disable Frontend | disable_frontend | Disables the Nessus user interface. Users can still use the API. | | yes or no |
| Disable Tenable News | disable_rss | In Nessus Essentials or Nessus Professional trial, the left navigation bar shows a Tenable news widget. Use this setting to disable the widget. | | yes or no |
| Disable user interface | disable_ui | Disables the user interface on managed scanners. | no | yes or no |
| Login Banner | login_banner | A text banner that appears after you attempt to log in to Nessus. Note: The banner only appears the first time you log in on a new browser or computer. | None | String |
| Maximum Concurrent Web Users | | Maximum web users who can connect simultaneously. | | If set to 0, there is no limit. |
| Nessus Web Server IP | | IPv4 address to listen for incoming connections. If set to, this restricts access to local connections only. | | String in the format of an IP address |
| Nessus Web Server Port | xmlrpc_listen_port | The port that the Nessus web server listens on. | 8834 | Integers |
| Use Mixed Vulnerability Groups | scan_vulnerability_groups_mixed | When enabled, Nessus shows the severity level as Mixed for vulnerability groups, unless all the vulnerabilities in a group have the same severity. When disabled, Nessus shows the highest severity indicator of a vulnerability in a group. | yes | yes or no |
| Use Vulnerability Groups | scan_vulnerability_groups | When enabled, Nessus groups vulnerabilities in scan results by common attributes, giving you a shorter list of results. | yes | yes or no |





| Setting | Identifier | Description | Default | Valid Values |
|---|---|---|---|---|
| Audit Trail Verbosity | audit_trail | Controls verbosity of the plugin audit trail. Full audit trails include the reason why Nessus did not include certain plugins in the scan. | full | full, partial, none |
| Auto Enable Plugin Dependencies | auto_enable_dependencies | Automatically activates the plugins that are depended on. If disabled, not all plugins may run despite being selected in a scan policy. | yes | yes or no |
| CGI Paths for Web Scans | cgi_path | A colon-delimited list of CGI paths to use for web server scans. | | |
| Engine Thread Idle Time | engine.idle_wait | Number of seconds a scan engine remains idle before shutting itself down. | 60 | Integers 0-600 |
| Max Plugin Output Size | plugin_output_max_size_kb | The maximum size, in KB, of plugin output that Nessus includes in the exported scan results with the .nessus format. If the output exceeds the maximum size, Nessus truncates the output in the report. | | If set to 0, there is no limit. |
| Maximum Ports in Scan Reports | report.max_ports | The maximum number of allowable ports. If there are more ports in the scan results than this value, Nessus discards the excess. This limit helps guard against fake targets that may have thousands of reported ports, but can also result in the deletion of valid results from the scan results database, so you may want to increase the default if this is a problem. | 1024 | Integers |
| Maximum Size for E-mailed Reports | attached_report_maximum_size | Specifies the maximum size, in MB, of any report attachment. If the report exceeds the maximum size, then it is not attached to the email. Nessus does not support report attachments larger than 50 MB. | 25 | Integers 0-50 |
| Nessus Rules File Location | rules | Location of the Nessus rules file (nessusd.rules). The following are the defaults for each operating system: Mac OS X: | Nessus config directory for your operating system | String |
| Non-Simultaneous Ports | non_simult_ports | Specifies ports against which two plugins cannot run simultaneously. | 139, 445, 3389 | String |
| Paused Scan Timeout | paused_scan_timeout | The duration, in minutes, that a scan can remain in the paused state before Nessus terminates it. | 0 | Integers 0-10080 |
| PCAP Snapshot Length | pcap.snaplen | The snapshot size used for packet capture; the maximum size of a captured network packet. Typically, Nessus sets this value automatically based on the scanner's NIC. However, depending on your network configuration, Nessus may truncate the packets, resulting in the following message in your scan report: "The current snapshot length of ### for interface X is too small." You can increase the length to avoid packet truncation. | 0 | Integers 0-262144 |
| Port Range | port_range | The default range of ports that the scanner plugins probe. | default | default, all, a range of ports, a comma-separated list of ports and/or port ranges. Specify UDP and TCP ports by prefixing each range by T: or U:. |
| Reverse DNS Lookups | reverse_lookup | When enabled, Nessus identifies targets by their fully qualified domain name (FQDN) in the scan report. When disabled, the report identifies the target by hostname or IP address. | no | yes or no |
| Safe Checks | safe_checks | When enabled, Nessus uses safe checks, which use banner grabbing rather than active testing for a vulnerability. | yes | yes or no |
| Silent Plugin Dependencies | silent_dependencies | When enabled, Nessus does not include the list of plugin dependencies and their output in the report. You can select a plugin as part of a policy that depends on other plugins to run. By default, Nessus runs those plugin dependencies, but does not include their output in the report. When disabled, Nessus includes both the selected plugin and any plugin dependencies in the report. | yes | yes or no |
| Slice Network Addresses | slice_network_addresses | If you set this option, Nessus does not scan a network incrementally (, then, then, and so on) but attempts to slice the workload throughout the whole network (for example, it scans, then, then, then, and so on). | no | yes or no |
| System Default Severity Basis | severity_basis | In Nessus scanners and Nessus Professional, you can choose whether Nessus calculates the severity of vulnerabilities using CVSSv2 or CVSSv3 scores (when available) by configuring your default severity base setting. When you change the default severity base, the change applies to all existing scans that are configured with the default severity base. Future scans also use the default severity base. For more information about CVSS scores and severity ranges, see CVSS Scores vs. VPR. Note: This setting is not available for Nessus Manager. | On a new installation of Nessus: cvss_v3. On preexisting upgraded instance: cvss_v2 | cvss_v2 or cvss_v3 |
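A validator for the port_range value format described above, useful for checking a value before you apply it. This is an added example, not Tenable code; it assumes an item without a T: or U: prefix applies to both protocols and that valid ports are 1-65535.

```python
import re

MAX_PORT = 65535
# One list item: optional T:/U: prefix, a port, and an optional "-high" part.
_ITEM = re.compile(r"^(?:([TU]):)?(\d{1,5})(?:-(\d{1,5}))?$", re.IGNORECASE)


def _merge(ranges):
    """Sort and merge overlapping or adjacent (low, high) ranges."""
    merged = []
    for low, high in sorted(ranges):
        if merged and low <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged


def parse_port_range(value):
    """Validate a port_range string.

    Returns ("default", None) or ("all", None) for the two keywords, or
    ("custom", {"tcp": [...], "udp": [...]}) with merged (low, high) tuples.
    Raises ValueError for anything else.
    """
    text = value.strip()
    if text.lower() in ("default", "all"):
        return text.lower(), None
    if not text:
        raise ValueError("empty port_range")

    ports = {"tcp": [], "udp": []}
    for raw in text.split(","):
        item = raw.strip()
        match = _ITEM.match(item)
        if not match:
            raise ValueError(f"unrecognized item: {item!r}")
        prefix = (match.group(1) or "").upper()
        low = int(match.group(2))
        high = int(match.group(3)) if match.group(3) is not None else low
        if not 1 <= low <= high <= MAX_PORT:
            raise ValueError(f"port reversed or out of range: {item!r}")
        # Assumption: no prefix means the item applies to TCP and UDP.
        protocols = {"T": ["tcp"], "U": ["udp"]}.get(prefix, ["tcp", "udp"])
        for protocol in protocols:
            ports[protocol].append((low, high))
    return "custom", {name: _merge(found) for name, found in ports.items()}


if __name__ == "__main__":
    # Constructed sample values.
    for sample in ("default", "T:1-1024,U:53,U:161-162,T:1000-2000", "80-79"):
        try:
            print(sample, "->", parse_port_range(sample))
        except ValueError as error:
            print(sample, "-> rejected:", error)
```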





| Setting | Identifier | Description | Default | Valid Values |
|---|---|---|---|---|
| Nessus Scanner Log Location | logfile | Location where Nessus stores its scanner log file. The following are the defaults for each operating system: Mac OS X: | Nessus log directory for your operating system | String |
| Log Additional Scan Details | log_details | When enabled, scan logs include the username, scan name, and current plugin name in addition to the base information. You may not see these additional details unless you also enable log_whole_attack. | no | yes or no |
| Log File Rotation | logfile_rot | Determines whether Nessus rotates log files based on maximum rotation size or rotation time. | | size: Nessus rotates log files based on size, as specified in logfile_max_size. time: Nessus rotates log files based on time, as specified in logfile_rotation_time. |
| Log Verbose Scan Details | log_whole_attack | Logs verbose details of the scan. Helpful for debugging issues with the scan, but this may be disk intensive. To add more details, enable log_details. | no | yes or no |
| Nessus Dump File Location | dumpfile | Location of nessusd.dump, a log file for debugging output if generated. The following are the defaults for each operating system: Mac OS X: | Nessus log directory for your operating system | |
| Nessus Dump File Log Level | nasl_log_type | The type of NASL engine output in nessusd.dump. | normal | normal, none, trace, or full. |
| Nessus Dump File Max Files | dumpfile_max_files | The maximum number of the nessusd.dump files kept on disk. If the number exceeds the specified value, Nessus deletes the oldest dump file. | 100 | Integers 1-1000 |
| Nessus Dump File Max Size | dumpfile_max_size | The maximum size of the nessusd.dump files in MB. If file size exceeds the maximum size, Nessus creates a new dump file. | 512 | Integers 1-2048 |
| Nessus Log Level | backend_log_level | The logging level of the backend.log log file, as indicated by a set of log tags that determine what information to include in the log. If you manually edited log.json to set a custom set of log tags for backend.log, this setting overwrites that content. For more information, see log.json Format. | | normal: sets log tags to log, info, warn, error, trace. debug: sets log tags to log, info, warn, error, trace, debug. verbose: sets log tags to log, info, warn, error, trace, debug, verbose. |
| Scanner Metric Logging | scanner.metrics | Enables scanner performance metrics data gathering. | 0 | 0 (off), 0x3f (full data except plugin metrics), 0x7f (full data including plugin metrics). Note: Including plugin metrics greatly increases the size of the log file. Nessus does not automatically clean up log files. |
| Use Milliseconds in Logs | logfile_msec | When enabled, nessusd.messages and nessusd.dump log timestamps are in milliseconds. When disabled, log timestamps are in seconds. | no | yes or no |





| Setting | Identifier | Description | Default | Valid Values |
|---|---|---|---|---|
| Engine Logging | global.log.engine_details | When enabled, logs additional information about which scan engine each target was assigned to during scanning. | no | yes or no |
| Database Synchronous Setting | db_synchronous_setting | Controls how database updates are synchronized to disk. NORMAL is faster, with some risk of data loss during unexpected system shutdowns (for example, during a power outage or crash). FULL is safer, with some performance cost. | | |
| Engine Thread Pool Size | thread_pool_size | The size of the pool of threads available for use by the scan engine. You can defer asynchronous tasks to these threads, and this value controls the maximum number of threads. | 200 | Integers 0-500 |
| Global Max Hosts Concurrently Scanned | global.max_hosts | Maximum number of hosts that Nessus can scan simultaneously across all scans. | Varies depending on hardware | |
| Global Max TCP Sessions | global.max_simult_tcp_sessions | Maximum number of simultaneous TCP sessions across all scans. | 50 for desktop operating systems (for example, Windows 10). 50000 for other operating systems (for example, Windows Server 2016). | |
| Max Concurrent Checks Per Host | max_checks | Maximum number of simultaneous plugins that can run concurrently on each host. | | |
| Max Concurrent Hosts Per Scan | max_hosts | Maximum number of hosts checked at one time during a scan. | Varies, up to 100. | If set to 0, defaults to 100. |
| Max Concurrent Scans | global.max_scans | Maximum number of simultaneous scans that the scanner can run. | 0 | Integers 0-1000. If set to 0, there is no limit. |
| Max Engine Threads | engine.max | Maximum number of scan engines that run in parallel. Each scan engine scans multiple targets concurrently from one or more scans (see engine.max_hosts). | 8 times the number of CPU cores on the machine | Integers |
| Max Engine Checks | engine.max_checks | Maximum number of simultaneous plugins that can run concurrently on a single scan engine. | 64 | Integers |
| Max Hosts Per Engine Thread | engine.max_hosts | Maximum number of targets that run concurrently on a single scan engine. | 16 | Integers |
| Max HTTP Connections | max_http_connections | The number of simultaneous connection attempts before the web server responds with HTTP code 503 (Service Unavailable, Too Many Connections). | 600 | Integers |
| Max HTTP Connections Hard | max_http_connections_hard | The number of simultaneous connection attempts before the web server does not allow further connections. | 3000 | Integers |
| Max TCP Sessions Per Host | host.max_simult_tcp_sessions | Maximum number of simultaneous TCP sessions for a single host. This TCP throttling option also controls the number of packets per second the SYN scanner sends, which is 10 times the number of TCP sessions. For example, if you set this option to 15, the SYN scanner sends 150 packets per second at most. | | If set to 0, there is no limit. |
| Max TCP Sessions Per Scan | max_simult_tcp_sessions | Maximum number of simultaneous TCP sessions for the entire scan, regardless of the number of hosts the scanner is scanning. | 0 | Integers 0-2000. If set to 0, there is no limit. |
| Minimum Engine Threads | engine.min | The number of scan engines that start initially as Nessus scans the targets. After the engine reaches engine.optimal_hosts number of targets, Nessus adds more scan engines up to engine.max. | 2 times the number of CPU cores on the machine | Integers |
| Optimize Tests | optimize_test | Optimizes the test procedure. If you disable this setting, scans may take longer and typically generate more false positives. | yes | yes or no |
| Optional Hosts Per Engine Thread | engine.optimal_hosts | The minimum number of targets that are running on each scan engine before Nessus adds more engines (up to engine.max). | 2 | Integers |
| Plugin Check Optimization Level | optimization_level | Determines the type of check that Nessus performs before a plugin runs. If you set this setting to open_ports, then Nessus checks that required ports are open; if they are not, the plugin does not run. If you set this setting to required_keys, then Nessus performs the open port check, and also checks that required keys (KB entries) exist, ignoring the excluded key check. | None | open_ports or required_keys |
| Plugin Timeout | plugins_timeout | Maximum lifetime of a plugin’s activity in seconds. | 320 | Integers 0-1000 |
| QDB Memory Usage | qdb_mem_usage | Directs Nessus to use more or less memory when idle. If Nessus is running on a dedicated server, setting this to high uses more memory to increase performance. If Nessus is running on a shared machine, setting this to low uses considerably less memory, but has a moderate performance impact. | low | low or high |
| Reduce TCP Sessions on Network Congestion | reduce_connections_on_congestion | Reduces the number of TCP sessions in parallel when the network appears to be congested. | no | yes or no |
| Scan Check Read Timeout | checks_read_timeout | Read timeout for the sockets of the tests. | 5 | Integers 0-1000 |
| Stop Scan on Host Disconnect | stop_scan_on_disconnect | When enabled, Nessus stops scanning a host that disconnects during the scan. | no | yes or no |
| Webserver Thread Pool Size | www_thread_pool_size | The thread pool size for the webserver/backend. | 100 | Integers 0-500 |
| XML Enable Plugin Attributes | xml_enable_plugin_attributes | When enabled, Nessus includes plugin attributes in exported scans to | no | yes or no |





| Setting | Identifier | Description | Default | Valid Values |
|---|---|---|---|---|
| Always Validate SSL Server Certificates | strict_certificate_validation | Always validate SSL server certificates, even during initial remote link (requires manager to use a trusted root CA). | no | yes or no |
| Cipher Files on Disk | cipher_files_on_disk | Encipher files that Nessus writes. | yes | yes or no |
| Force Public Key Authentication | force_pubkey_auth | Force logins for Nessus to use public key authentication. | no | yes or no |
| Max Concurrent Sessions Per User | max_sessions_per_user | Maximum concurrent sessions per user. | 0 | Integers 0-2000. If set to 0, there is no limit. |
| SSL Cipher List | ssl_cipher_list | Cipher list to use for Nessus backend connections. You can use a preconfigured list of cipher strings, or enter a custom cipher list or cipher strings. | | legacy: A list of ciphers that can integrate with older and insecure browsers and APIs. compatible: A list of secure ciphers that is compatible with all browsers, including Internet Explorer 11. May not include all the latest ciphers. modern: A list of the latest and most secure ciphers. May not be compatible with older browsers, such as Internet Explorer 11. custom: A custom OpenSSL cipher list. For more information on valid cipher list formats, see the OpenSSL documentation. niap: A list of ciphers that conforms to NIAP standards. |
| SSL Mode | ssl_mode | Minimum supported version of TLS. | | compat: TLS v1.0+. ssl_3_0: SSL v3+. tls_1_1: TLS v1.1+. tls_1_2: TLS v1.2+. niap: TLS v1.2. |
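A small audit of the Security settings above, checking values against the valid values the page lists and against a local baseline. This is an added example, not Tenable code; the name=value input format, the sample values, and the baseline (TLS v1.2 floor, the three yes/no settings expected to be yes, a per-user session limit) are assumptions of this example.

```python
# Constructed sample input: one "name=value" pair per line (format assumed).
SAMPLE = """\
ssl_mode=compat
ssl_cipher_list=legacy
strict_certificate_validation=no
cipher_files_on_disk=yes
force_pubkey_auth=no
max_sessions_per_user=0
"""

# Lowest protocol each ssl_mode value allows, per the table, as a sortable
# (major, minor) pair; SSL v3 is encoded so that it sorts below TLS v1.0.
SSL_MODE_FLOOR = {
    "ssl_3_0": (0, 3), "compat": (1, 0), "tls_1_1": (1, 1),
    "tls_1_2": (1, 2), "niap": (1, 2),
}
PRESET_CIPHER_LISTS = {"compatible", "modern", "niap"}

# Assumed local baseline, not vendor guidance.
REQUIRED_TLS_FLOOR = (1, 2)
EXPECT_YES = ("strict_certificate_validation", "cipher_files_on_disk",
              "force_pubkey_auth")


def parse_settings(text):
    """Parse name=value lines into a dict; blank and # lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a name=value line: {line!r}")
        settings[name.strip()] = value.strip()
    return settings


def audit(settings):
    """Return sorted (setting, problem) findings; absent settings are skipped."""
    findings = []
    mode = settings.get("ssl_mode")
    if mode is not None:
        if mode not in SSL_MODE_FLOOR:
            findings.append(("ssl_mode", f"invalid value {mode!r}"))
        elif SSL_MODE_FLOOR[mode] < REQUIRED_TLS_FLOOR:
            findings.append(("ssl_mode", f"{mode} allows protocols below TLS v1.2"))

    ciphers = settings.get("ssl_cipher_list")
    if ciphers == "legacy":
        findings.append(("ssl_cipher_list", "legacy list supports insecure clients"))
    elif ciphers is not None and ciphers not in PRESET_CIPHER_LISTS:
        findings.append(("ssl_cipher_list", "custom cipher string, review manually"))

    for name in EXPECT_YES:
        value = settings.get(name)
        if value is None:
            continue
        if value not in ("yes", "no"):
            findings.append((name, f"invalid value {value!r}"))
        elif value == "no":
            findings.append((name, "disabled"))

    sessions = settings.get("max_sessions_per_user")
    if sessions is not None:
        if not sessions.isdigit() or int(sessions) > 2000:
            findings.append(("max_sessions_per_user", "must be an integer 0-2000"))
        elif int(sessions) == 0:
            findings.append(("max_sessions_per_user", "0 means no session limit"))
    return sorted(findings)


if __name__ == "__main__":
    for name, problem in audit(parse_settings(SAMPLE)):
        print(f"{name}: {problem}")
```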

Agents & Scanners

Note: The following settings are only available in Nessus Manager.




| Setting | Identifier | Description | Default | Valid Values |
|---|---|---|---|---|
| Agent Auto Delete | agent_auto_delete | Controls whether agents are automatically removed after they have been inactive for the duration of time set for agent_auto_delete_threshold. | no | yes or no |
| Agent Auto Delete Threshold | agent_auto_delete_threshold | The number of days after which inactive agents are automatically removed if agent_auto_delete is set to yes. | 30 | Integers 1-365 |
| Agents Progress | agents_progress_viewable | When a scan gathers information from agents, Nessus Manager does not show detailed agents information if the number of agents exceeds this setting. Instead, a message indicates that results are being gathered and will be viewable when the scan is complete. | 100 | If set to 0, this defaults to 100. |
| Automatically Download Agent Updates | agent_updates_from_feed | When enabled, new Nessus Agent software updates are automatically downloaded. | yes | yes or no |
| Concurrent Agent Software Updates | cloud.manage.download_max | The maximum concurrent agent update downloads. | 10 | Integers |
| Include Audit Trail Data | agent_merge_audit_trail | Controls whether or not agent scan result audit trail data is included in the main agent database. Excluding audit trail data can significantly improve agent result processing performance. If this setting is set to false, the Audit Trail Verbosity setting in an individual scan or policy defaults to No audit trail. | false | true or false |
| Include KB Data | agent_merge_kb | Includes the agent scan result KB data in the main agent database. Excluding KB data can significantly improve agent result processing performance. If this setting is set to false, the Include the KB setting in an individual scan or policy defaults to Exclude KB. | false | true or false |
| Result Processing Journal Mode | agent_merge_journal_mode | Sets the journaling mode to use when processing agent results. Depending on the environment, this can somewhat improve processing performance, but also introduces a small risk of a corrupted scan result in the event of a crash. For more details, refer to the sqlite3 documentation. | | |
| Result Processing Sync Mode | agent_merge_synchronous_setting | Sets the filesystem sync mode to use when processing agent results. Turning this off will significantly improve processing performance, but also introduces a small risk of a corrupted scan result in the event of a crash. For more details, refer to the sqlite3 documentation. | | |
| Track Unique Agents | track_unique_agents | When enabled, Nessus Manager checks if MAC addresses of agents trying to link match MAC addresses of currently linked agents with the same hostname, platform, and distro. Nessus Manager deletes duplicates that it finds. | no | yes or no |


Note: The following settings are only available in Nessus Manager with clustering enabled.




| Setting | Identifier | Description | Default | Valid Values |
|---|---|---|---|---|
| Agent Blacklist Duration Days | agent_blacklist_duration_days | The number of days that an agent remains blocked from relinking to a cluster node. For example, Nessus blocks an agent if it tries to link with a UUID that matches an existing agent in a cluster. Note: Nessus blocks an agent after Nessus deletes or removes the agent due to inactivity. However, Nessus places the agent back in good standing if an administrator manually unlinks and relinks the agent. | | Integers > 0 |
| Agent Clustering Scan Cutoff | agent_cluster_scan_cutoff | Nessus aborts scans after running this many seconds without a child node update. | 3600 | Integers > 299 |
| Agent Node Global Maximum Default | agent_node_global_max_default | The global default maximum number of agents allowed per cluster node. If you set an individual maximum for a child node, that setting overrides this setting. | 10000 | Integers 0-20000 |





| Setting | Identifier | Description | Default | Valid Values |
|---|---|---|---|---|
| Automatic Update Delay | auto_update_delay | Number of hours that Nessus waits between automatic updates. | 24 | Integers > 0 |
| Automatic Updates | auto_update | Automatically updates plugins. If you enable this setting and register Nessus, Nessus automatically gets the newest plugins from Tenable when they are available. If your scanner is on an isolated network that is not able to reach the internet, disable this setting. Note: This setting does not work for Nessus scanners that you connected to Scanners linked to automatically receive updates from For more information, see the knowledge base article. | yes | yes or no |
| Automatically Update Nessus | auto_update_ui | Automatically download and apply Nessus updates. Note: This setting does not work for Nessus scanners that you connected to Scanners linked to automatically receive updates from For more information, see the knowledge base article. | yes | yes or no |
| Initial Sleep Time | ms_agent_sleep | (Nessus Manager only) Sleep time between managed scanner and agent requests. You can override this setting in Nessus Manager or | 30 | Integers 5-3300 |
| Java Heap Size | java_heap_size | Determines the Java heap size (the system memory used to store objects instantiated by applications running on the Java virtual machine) that Nessus uses when exporting PDF reports. | auto | auto or Integers > 0 |
| Max HTTP Client Requests | max_http_client_requests | Determines the maximum number of concurrent outbound HTTP connections on managed scanners and agents. | 4 | Integers > 0 |
| Nessus Debug Port | dbg_port | The port on which nessusd listens for ndbg client connections. If left empty, Nessus does not establish a debug port. | None | String in one of the following formats: port or localhost:port or ip:port |
| Nessus Preferences Database | config_file | Location of the configuration file that contains the engine preference settings. The following are the defaults for each operating system: Mac OS X: | Nessus database directory for your operating system | String |
| Non-User Scan Result Cleanup Threshold | report_cleanup_threshold_days | The age threshold (in days) for removing old system-user scan reports. | 30 | Integers > 0 |
| Orphaned Scan History Cleanup | orphaned_scan_cleanup_days | Number of days after which Nessus removes orphaned scans. For example, an orphaned scan could be a scan executed via that was not properly removed. If set to 0, Nessus does not perform a cleanup. | 30 | Integers > 0 |
| Path to Java | path_to_java | Custom path to Java for PDF exports. If not set, Nessus uses the system path. | None | Must be an absolute file path. |
| Remote Scanner Port | remote_listen_port | This setting allows Nessus to operate on different ports: one dedicated to communicating with remote agents and scanners (comms port) and the other for user logins (management port). By adding this setting, you can link your managed scanners and agents to a different port (for example, 9000) instead of the port defined in xmlrpc_listen_port (default 8834). | None | Integer |
| Report Crashes to Tenable | report_crashes | When enabled, Nessus sends crash information to Tenable, Inc. automatically to identify problems. Nessus does not send personal or system-identifying information to Tenable, Inc. | yes | yes or no |
| Scan Source IP(s) | source_ip | Source IPs to use when running on a multi-homed host. If you provide multiple IPs, Nessus cycles through them whenever it performs a new connection. | None | IP address or comma-separated list of IP addresses. |
| Send Telemetry | send_telemetry | When enabled, Nessus periodically and securely sends non-confidential product usage data to Tenable. Usage statistics include, but are not limited to, data about your visited pages within the Nessus interface, your used reports and dashboards, your Nessus license, and your configured features. Tenable uses the data to improve your user experience in future Nessus releases. You can disable this option at any time to stop sharing usage statistics with Tenable. | yes | yes or no |
| User Scan Result Deletion Threshold | scan_history_expiration_days | The number of days after which Nessus deletes the scan history and data for completed scans permanently. | 0 | 0 or integers larger than or equal to 3. If set to 0, Nessus retains the history. |


Not all advanced settings are populated in the Nessus user interface, but you can set some settings in the command-line interface. If you create a custom setting, it appears in the Custom tab.

The following table lists the advanced settings that you can configure, even though Nessus does not list them by default.



| Identifier | Description | Default | Valid Values |
|---|---|---|---|
| | Adds a classification banner to the top and bottom of the Nessus user interface, and turns on last successful and failed login notification. | None | UNCLASSIFIED (green banner), CONFIDENTIAL (blue banner), SECRET (red banner), or a custom value (orange banner). |
| | When disabled, to avoid overwhelming a host, prevents a single scanner from simultaneously scanning multiple targets that resolve to a single IP address. Instead, scanners serialize attempts to scan the IP address, whether it appears more than once in the same scan task or in multiple scan tasks on that scanner. Scans may take longer to complete. When enabled, a scanner can simultaneously scan multiple targets that resolve to a single IP address within a single scan task or across multiple scan tasks. Scans complete more quickly, but scan targets could potentially become overwhelmed, causing timeouts and incomplete results. | no | yes or no |
| | Supports merging plugin results for plugins that generate multiple findings with the same host, port, and protocol. Tenable recommends enabling this option for scanners linked to | no | yes or no |
| nessus_syn_scanner.global_throughput.max | Sets the max number of SYN packets that Nessus sends per second during its port scan (no matter how many hosts Nessus scans in parallel). Adjust this setting based on the sensitivity of the remote device to large numbers of SYN packets. | 65536 | Integers |
| | A text banner that appears after you attempt to log in to Nessus. The banner only appears the first time you log in on a new browser or computer. | None | String |
| timeout.<plugin ID> | Enter the plugin ID in place of <plugin ID>. The maximum time, in seconds, that Nessus permits the <plugin ID> to run before Nessus stops it. If you set this option for a plugin, this value supersedes plugins_timeout. | None | Integers 0-86400 |